The team noted that although Android phones feature a GPS indicator that flashes on and off when an app is trying to access the user's location, most people never notice it or simply misunderstand the message the icon is conveying.

Their app—which they tested on several Android devices running apps including Firefox and Tunein Radio—bridges that communication gap by flashing a message across the handset’s screen: "Your location is being accessed by [app name]."

The idea is to get consumers thinking about why apps such as Angry Birds and Dictionary.com collect location and device ID information and to find out whether awareness of this data collection will affect users' attitudes towards apps. As expected, participants in the study [pdf] featuring the app were surprised at how often some apps accessed their location, and that some other apps accessed their location at all.

The team says it is putting the finishing touches on its app (currently known as the RutgersPrivacyApp) so that it can be made available on the Play Store.

Which Retail Stores Haven’t Been Hacked?

Last week, we asked which chains, other than Target and Neiman Marcus, had seen their point-of-sale systems give away the store with respect to their customers’ credit card information. We noted that security researchers had already uncovered evidence that half a dozen more companies had had their digital pockets picked. But apparently that was the tip of the iceberg. It was revealed this week that payment card information has been stolen from several dozen retailers’ networks since the end of October. The culprit in the overwhelming majority of those cases was a memory-scraping malware program called ChewBacca. The program—so named because the Star Wars character appears prominently on the login page for the server that collected data from infected machines—also has a keylogger and installs an executable file that lets it survive system reboots.

Though ChewBacca was first identified by researchers at Kaspersky Lab in a December blog post, much of what we’ve learned about it since has been uncovered by antifraud researchers at RSA. After analyzing the malicious code and its command-and-control infrastructure, RSA figured out that 32 of the 45 affected retailers are based in the United States; others are in Russia, Canada, and Australia. The researchers wouldn’t reveal the identities of the compromised retailers, saying only that they have advised the companies to report everything they know to the proper authorities.

Hackers R Us

An international law enforcement operation has netted the low-hanging fruit on the tree of online criminal activity. Officials proudly announced that they’ve snatched up 11 people in the United States, India, China, and Romania and have charged them with crimes based on their alleged involvement with websites offering e-mail hackers for hire. Authorities say the suspects—who were the operators of websites such as needapassword.com—or the sites’ clients were responsible for hacking into fewer than 10 000 e-mail accounts. Meanwhile, the cybercriminals who run phishing schemes aimed at gaining access to tens of thousands of inboxes at a clip go on unmolested.

Oracle’s Jedi Mind Trick: This Is Not a Security Flaw; It's a Configuration Error

Bad: Two vulnerabilities in Oracle’s older database packages allow hackers to access a remote server, view the server’s file system, and dump files—all without a password. Worse: More than two years after security researcher Dana Taylor reported the flaws, Oracle has yet to release a patch for one of them, and, according to Taylor, the patch belatedly created for the other didn’t actually fix the vulnerability. Worst—for Oracle, anyway—Taylor kept detailed notes on her interactions with the company.

3VILDATA Blogger Discovers Key to Making Good Modems Go Bad

Security researcher and blogger Andreas Lindh reported this week that hackers can take advantage of security holes in some USB modems and force the machines to send malware-laced text messages to any phone number or act as staging areas for spear-phishing attacks. Lindh declined to identify the manufacturer of the device upon which he carried out the exploit because he had yet to notify the vendor.